Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced November 21st, 2008 with Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta. The latest variant (Conficker.C) will begin checking for a payload to download on March 31st, 2009. Conficker.A and Conficker.B variants continue to check for payloads each with a distinct domain generation algorithm.
The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows
It receives further instructions by connecting to a server or peer and receiving a binary update. The instructions it receives may include to propagate, gather personal information and to download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
The worm seems to implement some of the ideas presented by Fucs, Paes de Barros e Pereira at the Blackhat Briefings Europe 2007, specifically: digitally signed additional payload, use of PRNG for communication and P2P communication.
The "A" and "B" variants of Conficker will create an HTTP server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore points, and download files to the target computer.
Symptoms of infection
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, BITS, Windows Defender, and Error Reporting Services are automatically disabled.
- Domain controllers respond slowly to client requests.
- System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
- On websites related to antivirus software, Windows system updates cannot be accessed.
- Launches a brute force attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.
- Port 445/TCP scanning (A/B)
- Multicast UPnP requests
- High-port TCP and UDP P2P Activity
- Abnormal DNS lookup activty
Experts say it is the worst infection since the SQL Slammer. Estimates of the number of computers infected range from almost 9 million PCs to 15 million computers, however a conservative minimum estimate is more like 3 million which is more than enough to cause great harm.
Another anti-virus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.
The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008 to block this vulnerability.
The U.K. Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and Hospitals across the city of Sheffield reported infection of over 800 computers.
On February 1, 2009, Schools in the town of Rochdale, England were infected. The virus spread to 13 schools estimated to have infected 7,500 computers.
On February 13, the Bundeswehr reported that some hundred of their computers were infected.
On March 27, 2009, the British Director of Parliamentary ICT released a (leaked) memo stating that the House of Commons computer network has been infected with the virus and called for all people who have access the network to use caution and to not connect any unauthorized equipment to the network.
On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.
As of February 13, 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the criminals behind the creation and/or distribution of Conficker.
Patching and removal
On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability. Removal tools are available from Microsoft, BitDefender, ESET, Symantec, Sophos, and Kaspersky Lab, while McAfee and AVG can remove it with an on-demand scan. While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media (through modifying the Windows Registry) is recommended. However the United States Computer Emergency Readiness Team describe Microsoft's guidelines on disabling Autorun as being "not fully effective," and they provide their own guides. Microsoft has released a removal guide for the worm via the Microsoft website.
Also, on March 16, 2009, BitDefender released an updated tool to remove the already famous Downadup/Conficker worm on a new domain that has not been blocked by the malicious computer code at a website called "bdtools.net", it also comes as a separate installer dedicated to network administrators. In this way, the scanner can be dispatched throughout networks in order to remotely scan and disinfect workstations.
Refer to Wikipedia for reference URLs http://en.wikipedia.org/wiki/Conficker
Text adapted from Wikipedia: All text on this page is available under the terms of the GNU Free Documentation License
If you have any information you wish to share with us, at HostExploit, or simply want to voice your views on Conficker please contact us by email through: jart (at) hostexploit (dot) com
Internal HostExploit Articles:
- Conficker Cabal.
- 03/08/09 Conficker C Analysis. Phillip Porras, Hassen Saidi, and Vinod Yegneswaran.
- 02/19/09 An Analysis of Conficker's Logic and Rendezvous Points. Phillip Porras et al.
- 02/12/09 The Conficker Cabal Announced. Jose Nazario.
- 01/16/09 Calculating the Size of the Downadup Outbreak. Toni.
- 10/23/08 Microsoft Security Bulletin MS08-067 – Critical.
- Conficker. Wikipedia.
Check to see if you are infected:
- Conficker Work Group infection test. Check for infection.
- 03/26/09 Hackers exploit Conficker interest.
- 03/26/09 Disabling AutoRun could block a Conficker attack. SC Staff.
- 03/25/09 Conficker time bomb ticks, but don't expect boom. Elinor Mills.
- 03/25/09 Companies encouraged to take 1st April Conficker attack seriously. Dan Raywood.
- 03/20/09 New Conficker worm set to attack on April 1 despite bounty.
- 03/20/09 A search is launched for Conficker's first victim. Robert McMillan.
- 03/20/09 Conficker evolves; adds new capabilities. Paul Mah.
- 03/20/09 Researchers hunting for Conficker's Patient Zero. Joel Hruska.
- 03/12/09 A new variant of the Conficker or Downadup worm has been spotted by Trend Micro. Nicole Kobie.
- 03/09/09 Conficker and Waledec lead to increase in spam for first months of 2009. SC Staff.
- 03/07/09 Conficker gets upgraded with defenses. Dan Goodin.
- 02/21/09 Fairfax Media fights Conficker worm. Rob O'Neill.
- 02/20/09 New Conficker variant looks same, acts differently. Andrew Nusca.
- 02/19/09 Conficker Worm Gets an Evil Twin. Robert McMillan.
- 02/18/09 Conficker Worm Hits Germany. Lauren Gerber.
- 02/13/09 Microsoft bounty for worm creator. Maggie Shiels.
- 02/13/09 Microsoft puts $250,000 bounty on Conficker worm author's head. Charles Arthur.
- 02/09/09 Conficker Worm Sinks French Navy Network. Robert McMillan.
- 02/06/09 Conficker Worm: Help Protect Windows from Conficker.A and Conficker.B.
- 01/20/09 Conficker seizes city's hospital network. Chris Williams.
- 01/21/09 Conficker USB Worm Spreading Quickly. Matthew Hines.
- 03/04/09 The Fascinating Conficker. MartinC.
- 03/03/09 Conficker Diary.
- 03/02/09 A New Downadup Variant? Patrick Fitzgerald.
- 02/12/09 Joint Effort at Conficker Disruption.
- 02/10/09 More tricks from Conficker and VM detection. Bojan Zdrnja.
- 01/26/09 Confounding Conficker. Pierre-Marc Bureau.
- 01/22/09 Downadup: Small Improvements Yield Big Returns. Elio Florio.
- 01/21/09 Network security industry opinion. Grant Hartline.
- 01/21/09 Conficker/Downadup Worm Dubbed 'Epidemic'. Chloe Albanesius.
- 01/20/09 Downadup: Geo-location, Fingerprinting, and Piracy. Patrick Fitzgerald.
- 01/19/09 Downadup: Peer-to-Peer Payload Distribution – Symantec Security Response Blog. Eric Chien.
- 01/12/09 Warning: Conficker worm infections gaining traction. Pedro Bustamante.
- 12/02/08 Time for forced updates? Conficker botnet makes us wonder. Joel Hruska.
|< Prev||Next >|